Cisco Secure Unique Device Identifier Certificate Expiration Impacts Certain Cisco Products – Additional Information Available

Cisco Secure Unique Device Identifier (SUDI) certificates on certain Cisco products will expire either on [Date of Manufacture + 10 Years] or on May 14th, 2029 (2029-05-14), whichever is earlier.

If a Cisco product may be adversely impacted by an expired SUDI, a Field Notice (FN) with all relevant details will be published to address the issue. Please see the reference links at the bottom of this article for a list of already published field notices. This article provides additional information about SUDI certificates and this issue.

Question 1: What is SUDI?

Answer: The Secure Unique Device Identifier, or SUDI, is an IEEE 802.1AR-compliant secure device identity in an X.509v3 certificate that contains the product identifier and serial number. The identity is installed at manufacturing and is chained to a publicly identifiable root certificate authority. The SUDI can be used as an unchangeable device identity for configuration, security, auditing, and management. The SUDI certificate, the associated key pair, and its entire certificate chain are stored in the tamper-resistant Trust Anchor module (TAm) chip. Furthermore, the key pair is cryptographically bound to a specific Trust Anchor chip and the private key is never exported. This makes cloning or spoofing the identity information virtually impossible.

The SUDI can be used for asymmetric key operations, such as encryption, decryption, signing, and verification, on data passed to it. This capability makes remote authentication of a device possible. It enables accurate, consistent, and electronic identification of Cisco products for asset management, provisioning, version visibility, service entitlement, quality feedback, and inventory management.

Question 2: What is the issue with the original SUDI certificate?

Answer: Since their introduction, SUDI certificates have been issued with an expiration date of 10 years from the date of manufacture, or May 14, 2029 (whichever came first). Therefore, without intervention, a device manufactured prior to May 2019 will have its device certificate expire when it reaches the 10-year mark. A device manufactured after May 14th, 2019 will have a SUDI certificate lifetime of fewer than 10 years, and the certificate will expire on May 14, 2029. Although devices with expired SUDI certificates will continue to operate (i.e. they will boot up and run without errors), certain features that rely on SUDI-based network authentication, such as HTTPS/TLS, PKI/RA, SSH, and PnP, may not function after the certificate expires.

Question 3: What is Cisco doing to address the SUDI expiry issue?

Answer: New Cisco Certificate Authorities are issuing SUDI certificates, called SUDI-2099 certificates, that are valid until the end of the century (December 2099).

Question 4: How do I know if my product is potentially impacted by an expired SUDI?

Answer: For route/switch processors, standalone Cisco routers and switches, optical products, IP phones, wireless access points and controllers, IoT devices, and data center server products, the following features may be impacted when the device's SUDI certificate expires, if the device uses its SUDI certificate to authenticate them over the network:

  • HTTPS/TLS
  • PKI/RA
  • SSH
  • Zero Touch Provisioning (ZTP) using a non-Cisco ZTP server

Question 5: Are there cases in which impacted products will still function with an expired SUDI?

Answer: There are use cases in which a SUDI certificate with a 2029 or earlier expiration date will not impact your device's functionality upon expiry, so no action is required on the customer side. These use cases include:

  • Cisco IOS-XR based products are not impacted.
  • Cisco Zero-Touch Provisioning (ZTP) solutions (i.e. Cisco device Plug-and-Play (PnP) Connect feature) with Cisco DNA-C have been updated to ignore the expired SUDI.
  • Cisco SD-WAN (Viptela) solution will be updated with a fix. This update will be completed before existing SUDIs first expire in 2024.
  • Cisco Meraki dashboard will be updated with a fix. This update will be completed before existing SUDIs first expire in 2026.
  • Cisco Multiplatform Phones (MPP) fielded units will be updated with a fix. This update will be completed before existing SUDIs first expire in 2023.
  • Cisco NCS2K Optical will be updated with a fix. This update will be completed before existing SUDIs first expire in 2023.
  • Cisco Expressway will be updated with a fix. This update will be completed before existing SUDIs first expire in 2026.
  • Cisco ACI-Nexus 9000 will be updated with a fix. This update will be completed before existing SUDIs first expire in 2024.

Question 6: How do I check my impacted product’s SUDI certificate expiration date?

Answer: If your product uses SUDI for network authentication, you can use the following commands to display your SUDI certificate's expiration date:

For impacted IOS/IOS-XE based products:

# show crypto pki certificate

In the command output, look for the Validity Date 'end date:' of the certificate whose Associated Trustpoint is CISCO_IDEVID_SUDI. Example:

Validity Date:
start date: 00:03:04 UTC Nov 24 2015
end date: 00:03:04 UTC Nov 24 2025
Associated Trustpoints: CISCO_IDEVID_SUDI

For impacted NX-OS based products:

Run the following OpenSSL command on each SUDI certificate file and look for the 'notAfter=' date in the command output:

# openssl x509 -noout -dates -issuer -subject -in /securedata/ssl/server.crt

Example:

notBefore=Nov 25 13:14:37 2019 GMT
notAfter=May 14 20:25:42 2029 GMT
issuer= /O=Cisco Systems/CN=Cisco Manufacturing CA
subject= /serialNumber=PID:N9K-C93180YC-FX3S SN:FDO234117E2/CN=N9K-C93180YC-FX3S

Note: You must have ‘root’ user privilege to run the openssl command.
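As an added example (not Cisco's own tooling), the following Python parses the two validity outputs quoted above, checks each against the rule from Question 2 (manufacture date + 10 years or 2029-05-14, whichever is earlier), and reports whether the certificate has expired. The sample outputs are constructed from the formats shown above; treating a notAfter year of 2099 as a reissued SUDI-2099 certificate is an assumption based on Question 3.

```python
# Added example, not Cisco tooling; sample outputs are constructed from Question 6.
import re
from datetime import datetime, timezone

# Cutoff named in the article: no original SUDI is valid past this date.
SUDI_CUTOFF = datetime(2029, 5, 14, tzinfo=timezone.utc)

IOS_OUTPUT = """Validity Date:
start date: 00:03:04 UTC Nov 24 2015
end date: 00:03:04 UTC Nov 24 2025
Associated Trustpoints: CISCO_IDEVID_SUDI
"""
OPENSSL_OUTPUT = """notBefore=Nov 25 13:14:37 2019 GMT
notAfter=May 14 20:25:42 2029 GMT
subject= /serialNumber=PID:N9K-C93180YC-FX3S SN:FDO234117E2/CN=N9K-C93180YC-FX3S
"""

def _utc(text, fmt):
    # strptime tolerates openssl's space-padded day ("May  4"); attach UTC.
    return datetime.strptime(text.strip(), fmt).replace(tzinfo=timezone.utc)

def parse_ios(text):
    """(start, end) from IOS/IOS-XE 'show crypto pki certificate' output."""
    fmt = "%H:%M:%S UTC %b %d %Y"
    start = re.search(r"start date:\s*(.+)", text).group(1)
    end = re.search(r"end date:\s*(.+)", text).group(1)
    return _utc(start, fmt), _utc(end, fmt)

def parse_openssl(text):
    """(notBefore, notAfter) from 'openssl x509 -noout -dates' output."""
    fmt = "%b %d %H:%M:%S %Y GMT"
    before = re.search(r"notBefore=(.+)", text).group(1)
    after = re.search(r"notAfter=(.+)", text).group(1)
    return _utc(before, fmt), _utc(after, fmt)

def expected_original_expiry(manufactured):
    """Article's rule: manufacture + 10 years or 2029-05-14, whichever is earlier."""
    try:
        plus_ten = manufactured.replace(year=manufactured.year + 10)
    except ValueError:  # manufactured on Feb 29 of a leap year
        plus_ten = manufactured.replace(year=manufactured.year + 10, day=28)
    return min(plus_ten, SUDI_CUTOFF)

def classify(not_after, now):
    """'sudi-2099' (reissued; assumes notAfter in 2099), 'expired', or days left."""
    if not_after.year >= 2099:
        return "sudi-2099"
    if not_after <= now:
        return "expired"
    return "expires in %d day(s)" % (not_after - now).days
```

Feed the real output of either command to parse_ios or parse_openssl and pass the end date to classify together with datetime.now(timezone.utc); a SUDI whose end date equals expected_original_expiry of its start date is an original (non-2099) certificate.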

Question 7: What can a customer expect to receive from Cisco to address this issue?

Answer: If a product may be adversely impacted by an expired SUDI, a Field Notice (FN) with all relevant details will be published to address the issue.

The following are the published Field Notices:

Customers can post their questions to ask-trustworthy@cisco.com. If you have a technical issue or need technical support on SUDI certificates, please open a TAC case with Cisco Technical Support.
